From vi...@apache.org
Subject svn commit: r1438259 [3/3] - in /accumulo/branches/ACCUMULO-259: conf/examples/1GB/native-standalone/ conf/examples/1GB/standalone/ conf/examples/2GB/native-standalone/ conf/examples/2GB/standalone/ conf/examples/3GB/native-standalone/ conf/examples/3G...
Date Thu, 24 Jan 2013 23:17:05 GMT
Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/monitor/Monitor.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/monitor/Monitor.java?rev=1438259&r1=1438258&r2=1438259&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/monitor/Monitor.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/monitor/Monitor.java
Thu Jan 24 23:17:04 2013
@@ -41,6 +41,7 @@ import org.apache.accumulo.core.master.t
 import org.apache.accumulo.core.master.thrift.MasterMonitorInfo;
 import org.apache.accumulo.core.master.thrift.TableInfo;
 import org.apache.accumulo.core.master.thrift.TabletServerStatus;
+import org.apache.accumulo.core.security.SecurityUtil;
 import org.apache.accumulo.core.util.CachedConfiguration;
 import org.apache.accumulo.core.util.Daemon;
 import org.apache.accumulo.core.util.LoggingRunnable;
@@ -71,7 +72,6 @@ import org.apache.accumulo.server.monito
 import org.apache.accumulo.server.problems.ProblemReports;
 import org.apache.accumulo.server.problems.ProblemType;
 import org.apache.accumulo.server.security.SecurityConstants;
-import org.apache.accumulo.server.security.SecurityUtil;
 import org.apache.accumulo.server.util.EmbeddedWebServer;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.log4j.Logger;

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java?rev=1438259&r1=1438258&r2=1438259&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/AuditedSecurityOperation.java
Thu Jan 24 23:17:04 2013
@@ -44,16 +44,17 @@ public class AuditedSecurityOperation ex
   public AuditedSecurityOperation(Authorizor author, Authenticator authent, PermissionHandler
pm, String instanceId) {
     super(author, authent, pm, instanceId);
   }
-
+  
   public static final Logger log = Logger.getLogger(AuditedSecurityOperation.class);
   
-  public static synchronized SecurityOperation getInstance(String instanceId) {
+  public static synchronized SecurityOperation getInstance(String instanceId, boolean initialize)
{
     if (instance == null) {
-      instance = new AuditedSecurityOperation(getAuthorizor(instanceId), getAuthenticator(instanceId),
getPermHandler(instanceId), instanceId);
+      instance = new AuditedSecurityOperation(getAuthorizor(instanceId, initialize), getAuthenticator(instanceId,
initialize), getPermHandler(instanceId,
+          initialize), instanceId);
     }
     return instance;
   }
-
+  
   private void audit(InstanceTokenWrapper credentials, ThriftSecurityException ex, String
template, Object... args) {
     log.log(AuditLevel.AUDIT, "Error: authenticated operation failed: " + credentials.getPrincipal()
+ ": " + String.format(template, args));
   }
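Review bot: `getInstance(String instanceId, boolean initialize)` tests and assigns `instance`, which appears to be the `protected static SecurityOperation instance` field declared in SecurityOperation rather than a field of this class, so whichever factory runs first in the JVM decides whether callers get the audited wrapper. If `SecurityOperation.getInstance(...)` has already populated that field, this method hands back a plain `SecurityOperation` and none of the `AuditLevel.AUDIT` lines in this class are written; the class header is truncated in the hunk, so the inheritance should be confirmed. Replacing the null test with `if (!(instance instanceof AuditedSecurityOperation)) {` or giving this class its own static field would make the audited path deterministic. The cached instance also ignores `instanceId` and `initialize` on every later call, which deserves a Javadoc sentence.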
@@ -76,7 +77,8 @@ public class AuditedSecurityOperation ex
       return result;
     } catch (ThriftSecurityException ex) {
       audit(credentials, ex, "authenticateUser");
-      throw ex;
+      log.debug(ex);
+   throw ex;
     }
   }
   
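Review bot: The added `log.debug(ex)` in this catch block passes the exception as the message argument, so log4j records only `ex.toString()` and drops the stack trace; `log.debug("authenticateUser failed", ex);` keeps it. The same call is added in the other catch blocks of this file (authorizations, password change, createUser, dropUser, grant/revoke, permission checks, listUsers, table deletion) and as `log.debug(e)` in SecurityOperation. `log` is also the logger that `audit(...)` writes to at `AuditLevel.AUDIT`, so with DEBUG enabled on it these diagnostic lines would presumably end up in the same destination as the audit trail; a separate logger for diagnostics keeps the two apart. Several of the re-added `throw ex;` lines are mis-indented. The enclosing method starts outside the hunk.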
@@ -93,9 +95,10 @@ public class AuditedSecurityOperation ex
       return result;
     } catch (ThriftSecurityException ex) {
       audit(credentials, ex, "getting authorizations for %s", user);
+      log.debug(ex);
       throw ex;
     }
-
+    
   }
   
   /**
@@ -104,7 +107,12 @@ public class AuditedSecurityOperation ex
    * @throws ThriftSecurityException
    */
   public Authorizations getUserAuthorizations(InstanceTokenWrapper credentials) throws ThriftSecurityException
{
-    return getUserAuthorizations(credentials, credentials.getPrincipal());
+    try {
+      return getUserAuthorizations(credentials, credentials.getPrincipal());
+    } catch (ThriftSecurityException ex) {
+      log.debug(ex);
+      throw ex;
+    }
   }
   
   /**
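Review bot: The new try/catch around `getUserAuthorizations(credentials, credentials.getPrincipal())` only logs and rethrows, and the overload it delegates to appears to be the method in the preceding hunk, which already audits and debug-logs the same `ThriftSecurityException`, so each failure is now logged twice. Unless the delegation goes somewhere other than that overload, the original single line `return getUserAuthorizations(credentials, credentials.getPrincipal());` is sufficient.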
@@ -119,7 +127,8 @@ public class AuditedSecurityOperation ex
       audit(credentials, "changed authorizations for %s to %s", user, authorizations);
     } catch (ThriftSecurityException ex) {
       audit(credentials, ex, "changing authorizations for %s", user);
-      throw ex;
+      log.debug(ex);
+    throw ex;
     }
   }
   
@@ -135,7 +144,8 @@ public class AuditedSecurityOperation ex
       audit(credentials, "changed password for %s", token.getPrincipal());
     } catch (ThriftSecurityException ex) {
       audit(credentials, ex, "changing password for %s", token.getPrincipal());
-      throw ex;
+      log.debug(ex);
+  throw ex;
     }
   }
   
@@ -152,7 +162,8 @@ public class AuditedSecurityOperation ex
       audit(credentials, "createUser");
     } catch (ThriftSecurityException ex) {
       audit(credentials, ex, "createUser %s", token.getPrincipal());
-      throw ex;
+      log.debug(ex);
+  throw ex;
     }
   }
   
@@ -167,7 +178,8 @@ public class AuditedSecurityOperation ex
       audit(credentials, "dropUser");
     } catch (ThriftSecurityException ex) {
       audit(credentials, ex, "dropUser %s", user);
-      throw ex;
+      log.debug(ex);
+  throw ex;
     }
   }
   
@@ -183,6 +195,7 @@ public class AuditedSecurityOperation ex
       audit(credentials, "granted permission %s for %s", permission, user);
     } catch (ThriftSecurityException ex) {
       audit(credentials, ex, "granting permission %s for %s", permission, user);
+      log.debug(ex);
       throw ex;
     }
   }
@@ -200,6 +213,7 @@ public class AuditedSecurityOperation ex
       audit(credentials, "granted permission %s on table %s for %s", permission, table, user);
     } catch (ThriftSecurityException ex) {
       audit(credentials, ex, "granting permission %s on table for %s", permission, table,
user);
+      log.debug(ex);
       throw ex;
     }
   }
@@ -216,6 +230,7 @@ public class AuditedSecurityOperation ex
       audit(credentials, "revoked permission %s for %s", permission, user);
     } catch (ThriftSecurityException ex) {
       audit(credentials, ex, "revoking permission %s on %s", permission, user);
+      log.debug(ex);
       throw ex;
     }
   }
@@ -233,6 +248,7 @@ public class AuditedSecurityOperation ex
       audit(credentials, "revoked permission %s on table %s for %s", permission, table, user);
     } catch (ThriftSecurityException ex) {
       audit(credentials, ex, "revoking permission %s on table for %s", permission, table,
user);
+      log.debug(ex);
       throw ex;
     }
   }
@@ -251,6 +267,7 @@ public class AuditedSecurityOperation ex
       return result;
     } catch (ThriftSecurityException ex) {
       audit(credentials, ex, "checking permission %s on %s", permission, user);
+      log.debug(ex);
       throw ex;
     }
   }
@@ -270,6 +287,7 @@ public class AuditedSecurityOperation ex
       return result;
     } catch (ThriftSecurityException ex) {
       audit(credentials, ex, "checking permission %s on %s", permission, user);
+      log.debug(ex);
       throw ex;
     }
   }
@@ -286,6 +304,7 @@ public class AuditedSecurityOperation ex
       return result;
     } catch (ThriftSecurityException ex) {
       audit(credentials, ex, "listUsers");
+      log.debug(ex);
       throw ex;
     }
   }
@@ -301,13 +320,14 @@ public class AuditedSecurityOperation ex
       audit(credentials, "deleted table %s", table);
     } catch (ThriftSecurityException ex) {
       audit(credentials, ex, "deleting table %s", table);
-      throw ex;
+      log.debug(ex);
+  throw ex;
     }
   }
-
+  
   @Override
   public void initializeSecurity(InstanceTokenWrapper credentials, AccumuloToken<?,?>
token) throws AccumuloSecurityException, ThriftSecurityException {
     super.initializeSecurity(credentials, token);
-    log.info("Initialized root user with username: " + token.getPrincipal()+ " at the request
of user " + credentials.getPrincipal());
+    log.info("Initialized root user with username: " + token.getPrincipal() + " at the request
of user " + credentials.getPrincipal());
   }
 }

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java?rev=1438259&r1=1438258&r2=1438259&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
Thu Jan 24 23:17:04 2013
@@ -55,44 +55,43 @@ public class SecurityOperation {
   private static String rootUserName = null;
   private final ZooCache zooCache;
   private final String ZKUserPath;
-
-  private String instanceId;
   
   protected static SecurityOperation instance;
   
   public static synchronized SecurityOperation getInstance() {
     String instanceId = HdfsZooInstance.getInstance().getInstanceID();
-    return getInstance(instanceId);
+    return getInstance(instanceId, false);
   }
   
-  public static synchronized SecurityOperation getInstance(String instanceId) {
+  public static synchronized SecurityOperation getInstance(String instanceId, boolean initialize)
{
     if (instance == null) {
-      instance = new SecurityOperation(getAuthorizor(instanceId), getAuthenticator(instanceId),
getPermHandler(instanceId), instanceId);
+      instance = new SecurityOperation(getAuthorizor(instanceId, initialize), getAuthenticator(instanceId,
initialize), getPermHandler(instanceId, initialize),
+          instanceId);
     }
     return instance;
   }
   
   @SuppressWarnings("deprecation")
-  protected static Authorizor getAuthorizor(String instanceId) {
+  protected static Authorizor getAuthorizor(String instanceId, boolean initialize) {
     Authorizor toRet = Master.createInstanceFromPropertyName(AccumuloConfiguration.getSiteConfiguration(),
Property.INSTANCE_SECURITY_AUTHORIZOR,
         Authorizor.class, ZKAuthorizor.getInstance());
-    toRet.initialize(instanceId);
+    toRet.initialize(instanceId, initialize);
     return toRet;
   }
   
   @SuppressWarnings("deprecation")
-  protected static Authenticator getAuthenticator(String instanceId) {
+  protected static Authenticator getAuthenticator(String instanceId, boolean initialize)
{
     Authenticator toRet = Master.createInstanceFromPropertyName(AccumuloConfiguration.getSiteConfiguration(),
Property.INSTANCE_SECURITY_AUTHENTICATOR,
         Authenticator.class, ZKAuthenticator.getInstance());
-    toRet.initialize(instanceId);
+    toRet.initialize(instanceId, initialize);
     return toRet;
   }
   
   @SuppressWarnings("deprecation")
-  protected static PermissionHandler getPermHandler(String instanceId) {
+  protected static PermissionHandler getPermHandler(String instanceId, boolean initialize)
{
     PermissionHandler toRet = Master.createInstanceFromPropertyName(AccumuloConfiguration.getSiteConfiguration(),
         Property.INSTANCE_SECURITY_PERMISSION_HANDLER, PermissionHandler.class, ZKPermHandler.getInstance());
-    toRet.initialize(instanceId);
+    toRet.initialize(instanceId, initialize);
     return toRet;
   }
   
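Review bot: The new `initialize` flag is threaded through `getInstance`, `getAuthorizor`, `getAuthenticator` and `getPermHandler` with no comment saying what it means, and every handler implementation touched by this commit (`ZKAuthenticator`, `ZKAuthorizor`, `ZKPermHandler`, `InsecureAuthenticator`, `InsecurePermHandler`) ignores it. Javadoc on `getInstance(String, boolean)` should state the intent, for example `@param initialize true when the handlers are being created to set up security for a new instance`, adjusted to what the author actually means. It should also say that both arguments are ignored once `instance` is non-null, and that the no-argument `getInstance()` always passes `false`, so a caller that needs `true` has to run before any other caller.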
@@ -101,7 +100,6 @@ public class SecurityOperation {
    * @Deprecated not for client use
    */
   public SecurityOperation(String instanceId) {
-    this.instanceId = instanceId;
     ZKUserPath = Constants.ZROOT + "/" + instanceId + "/users";
     zooCache = new ZooCache();
   }
@@ -145,19 +143,18 @@ public class SecurityOperation {
     if (!credentials.getInstance().equals(HdfsZooInstance.getInstance().getInstanceID()))
       throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.INVALID_INSTANCEID);
     
-    if (credentials.getPrincipal().equals(SecurityConstants.SYSTEM_USERNAME)) {
-      if (SecurityConstants.getSystemCredentials().getToken().equals(credentials.getToken())
-          && instanceId.equals(SecurityConstants.getSystemCredentials().getInstance()))
-        return;
-      else
-        throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS);
+    if (SecurityConstants.getSystemCredentials().equals(credentials))
+      return;
+    else if (credentials.getPrincipal().equals(SecurityConstants.SYSTEM_USERNAME)) {
+      throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS);
     }
-    
+        
     try {
       if (!authenticator.authenticateUser(credentials.getToken())) {
         throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS);
       }
     } catch (AccumuloSecurityException e) {
+      log.debug(e);
       throw e.asThriftException();
     }
   }
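Review bot: The system-user check now rests entirely on `SecurityConstants.getSystemCredentials().equals(credentials)`, whereas the removed lines compared the token and the instance id explicitly, and the `equals` implementation of the credentials type (presumably `InstanceTokenWrapper`) is not part of this diff. If that `equals` is not overridden, or compares fewer fields than principal, token and instance, this branch either rejects the genuine system user or accepts credentials that merely resemble it, so a unit test for a correct and an incorrect system token belongs with this change. The added `log.debug(e)` logs only the exception's string form; `log.debug("authentication failed", e);` keeps the stack trace. The enclosing method starts outside the hunk.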
@@ -178,11 +175,14 @@ public class SecurityOperation {
    */
   public boolean authenticateUser(InstanceTokenWrapper credentials, AccumuloToken<?,?>
token) throws ThriftSecurityException {
     canAskAboutUser(credentials, token.getPrincipal());
+    // User is already authenticated from canAskAboutUser, this gets around issues with !SYSTEM
user
+    if (credentials.getToken().equals(token))
+      return true;
     try {
       return authenticator.authenticateUser(token);
     } catch (AccumuloSecurityException e) {
       throw e.asThriftException();
-    }    
+    }
   }
   
   /**
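Review bot: The added `if (credentials.getToken().equals(token)) return true;` reports the token as valid without consulting `authenticator`, so it is only correct if `canAskAboutUser` has verified `credentials` on every path, including any early return; its body is not in this diff. `TabletServer.startUpdate` calls `security.authenticateUser(itw, itw.getToken())`, so on that path the two tokens are the same object and the `authenticator.authenticateUser(token)` call is never reached. The shortcut also depends on `AccumuloToken.equals` comparing the secret material and not only the principal. The comment should spell out that invariant, e.g. `// canAskAboutUser() has already checked credentials against the authenticator; an identical token needs no second check`, and a test with a wrong password for an existing user should cover it.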
@@ -282,8 +282,12 @@ public class SecurityOperation {
     if (user.equals(SecurityConstants.SYSTEM_USERNAME) || user.equals(getRootUsername()))
       return;
     
-    if (!authenticator.userExists(user))
-      throw new ThriftSecurityException(user, SecurityErrorCode.USER_DOESNT_EXIST);
+    try {
+      if (!authenticator.userExists(user))
+        throw new ThriftSecurityException(user, SecurityErrorCode.USER_DOESNT_EXIST);
+    } catch (AccumuloSecurityException e) {
+      throw e.asThriftException();
+    }
   }
   
   /**

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/Authenticator.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/Authenticator.java?rev=1438259&r1=1438258&r2=1438259&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/Authenticator.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/Authenticator.java
Thu Jan 24 23:17:04 2013
@@ -30,7 +30,7 @@ import org.apache.accumulo.core.security
 
 public interface Authenticator {
   
-  public void initialize(String instanceId);
+  public void initialize(String instanceId, boolean initialize);
 
   public boolean validSecurityHandlers(Authorizor auth, PermissionHandler pm);
 
@@ -46,7 +46,7 @@ public interface Authenticator {
   
   public void changePassword(AccumuloToken<?,?> user) throws AccumuloSecurityException;
   
-  public boolean userExists(String user);
+  public boolean userExists(String user) throws AccumuloSecurityException;
 
   public String getTokenClassName();
 }

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/Authorizor.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/Authorizor.java?rev=1438259&r1=1438258&r2=1438259&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/Authorizor.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/Authorizor.java
Thu Jan 24 23:17:04 2013
@@ -31,7 +31,7 @@ public interface Authorizor {
    * 
    * @param instanceId
    */
-  public void initialize(String instanceId);
+  public void initialize(String instanceId, boolean initialize);
 
   /**
    * Used to validate that the Authorizor, Authenticator, and permission handler can coexist
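Review bot: The Javadoc above `initialize(String instanceId, boolean initialize)` still documents only `@param instanceId`; it needs an `@param initialize` line stating what the flag changes. `PermissionHandler.initialize` has the same gap, and `Authenticator.initialize` has no Javadoc at all. A parameter named after its own method is hard to read in call sites such as `toRet.initialize(instanceId, initialize)`; a name that says what is being initialized would help.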

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/InsecureAuthenticator.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/InsecureAuthenticator.java?rev=1438259&r1=1438258&r2=1438259&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/InsecureAuthenticator.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/InsecureAuthenticator.java
Thu Jan 24 23:17:04 2013
@@ -33,7 +33,7 @@ public class InsecureAuthenticator imple
    * @see org.apache.accumulo.server.security.handler.Authenticator#initialize(java.lang.String)
    */
   @Override
-  public void initialize(String instanceId) {
+  public void initialize(String instanceId, boolean initialize) {
     return;
   }
   
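Review bot: The `@see org.apache.accumulo.server.security.handler.Authenticator#initialize(java.lang.String)` reference above this method still names the one-argument signature that this commit removes from the interface, so the Javadoc link no longer resolves. It should become `#initialize(java.lang.String, boolean)`; `InsecurePermHandler` carries the same stale `@see` for `PermissionHandler#initialize`. The Javadoc block starts outside the hunk.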

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/InsecurePermHandler.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/InsecurePermHandler.java?rev=1438259&r1=1438258&r2=1438259&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/InsecurePermHandler.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/InsecurePermHandler.java
Thu Jan 24 23:17:04 2013
@@ -31,7 +31,7 @@ public class InsecurePermHandler impleme
    * @see org.apache.accumulo.server.security.handler.PermissionHandler#initialize(java.lang.String)
    */
   @Override
-  public void initialize(String instanceId) {
+  public void initialize(String instanceId, boolean initialize) {
     return;
   }
   

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/PermissionHandler.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/PermissionHandler.java?rev=1438259&r1=1438258&r2=1438259&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/PermissionHandler.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/PermissionHandler.java
Thu Jan 24 23:17:04 2013
@@ -33,7 +33,7 @@ public interface PermissionHandler {
    * 
    * @param instanceId
    */
-  public void initialize(String instanceId);
+  public void initialize(String instanceId, boolean initialize);
   
   /**
    * Used to validate that the Authorizor, Authenticator, and permission handler can coexist

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthenticator.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthenticator.java?rev=1438259&r1=1438258&r2=1438259&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthenticator.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthenticator.java
Thu Jan 24 23:17:04 2013
@@ -52,7 +52,7 @@ public final class ZKAuthenticator imple
     zooCache = new ZooCache();
   }
   
-  public void initialize(String instanceId) {
+  public void initialize(String instanceId, boolean initialize) {
     ZKUserPath = Constants.ZROOT + "/" + instanceId + "/users";
   }
   

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthorizor.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthorizor.java?rev=1438259&r1=1438258&r2=1438259&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthorizor.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthorizor.java
Thu Jan 24 23:17:04 2013
@@ -40,9 +40,9 @@ import org.apache.zookeeper.KeeperExcept
 public class ZKAuthorizor implements Authorizor {
   private static final Logger log = Logger.getLogger(ZKAuthorizor.class);
   private static Authorizor zkAuthorizorInstance = null;
-
+  
   private final String ZKUserAuths = "/Authorizations";
-
+  
   private String ZKUserPath;
   private final ZooCache zooCache;
   
@@ -51,22 +51,22 @@ public class ZKAuthorizor implements Aut
       zkAuthorizorInstance = new ZKAuthorizor();
     return zkAuthorizorInstance;
   }
-
+  
   public ZKAuthorizor() {
     zooCache = new ZooCache();
   }
   
-  public void initialize(String instanceId) {
+  public void initialize(String instanceId, boolean initialize) {
     ZKUserPath = ZKSecurityTool.getInstancePath(instanceId) + "/users";
   }
-
+  
   public Authorizations getCachedUserAuthorizations(String user) {
     byte[] authsBytes = zooCache.get(ZKUserPath + "/" + user + ZKUserAuths);
     if (authsBytes != null)
       return ZKSecurityTool.convertAuthorizations(authsBytes);
     return Constants.NO_AUTHS;
   }
-
+  
   @Override
   public boolean validSecurityHandlers(Authenticator auth, PermissionHandler pm) {
     return true;
@@ -75,7 +75,7 @@ public class ZKAuthorizor implements Aut
   @Override
   public void initializeSecurity(InstanceTokenWrapper itw, String rootuser) throws AccumuloSecurityException
{
     IZooReaderWriter zoo = ZooReaderWriter.getRetryingInstance();
-
+    
     // create the root user with all system privileges, no table privileges, and no record-level
authorizations
     Set<SystemPermission> rootPerms = new TreeSet<SystemPermission>();
     for (SystemPermission p : SystemPermission.values())
@@ -85,6 +85,10 @@ public class ZKAuthorizor implements Aut
     tablePerms.put(Constants.METADATA_TABLE_ID, Collections.singleton(TablePermission.ALTER_TABLE));
     
     try {
+      // prep parent node of users with root username
+      if (!zoo.exists(ZKUserPath))
+        zoo.putPersistentData(ZKUserPath, rootuser.getBytes(), NodeExistsPolicy.FAIL);
+      
       initUser(rootuser);
       zoo.putPersistentData(ZKUserPath + "/" + rootuser + ZKUserAuths, ZKSecurityTool.convertAuthorizations(Constants.NO_AUTHS),
NodeExistsPolicy.FAIL);
     } catch (KeeperException e) {
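Review bot: The added `zoo.exists(ZKUserPath)` test followed by `putPersistentData(..., NodeExistsPolicy.FAIL)` is a check-then-act sequence: if another initializer creates the node between the two calls, the put presumably fails instead of being skipped. `ZKPermHandler.initializeSecurity` adds the identical block for the same `/users` path, which makes that overlap more likely; `zoo.putPersistentData(ZKUserPath, rootuser.getBytes(), NodeExistsPolicy.SKIP);` on its own would express "create if absent" in one call, if SKIP semantics are acceptable here. `rootuser.getBytes()` uses the platform default charset, so the stored root user name can differ between hosts for non-ASCII names; pass an explicit charset. The comment should also say which code reads the root user name back from this node, since that value decides who is treated as root.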
@@ -149,5 +153,5 @@ public class ZKAuthorizor implements Aut
       throw new RuntimeException(e);
     }
   }
-
+  
 }

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKPermHandler.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKPermHandler.java?rev=1438259&r1=1438258&r2=1438259&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKPermHandler.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/security/handler/ZKPermHandler.java
Thu Jan 24 23:17:04 2013
@@ -50,21 +50,21 @@ public class ZKPermHandler implements Pe
   private final ZooCache zooCache;
   private final String ZKUserSysPerms = "/System";
   private final String ZKUserTablePerms = "/Tables";
-
+  
   public static synchronized PermissionHandler getInstance() {
     if (zkPermHandlerInstance == null)
       zkPermHandlerInstance = new ZKPermHandler();
     return zkPermHandlerInstance;
   }
-
-  public void initialize(String instanceId) {
+  
+  public void initialize(String instanceId, boolean initialize) {
     ZKUserPath = ZKSecurityTool.getInstancePath(instanceId) + "/users";
   }
-
+  
   public ZKPermHandler() {
     zooCache = new ZooCache();
   }
-
+  
   @Override
   public boolean hasTablePermission(String user, String table, TablePermission permission)
{
     byte[] serializedPerms;
@@ -94,7 +94,7 @@ public class ZKPermHandler implements Pe
     }
     return false;
   }
-
+  
   @Override
   public void grantSystemPermission(String user, SystemPermission permission) throws AccumuloSecurityException
{
     try {
@@ -235,6 +235,10 @@ public class ZKPermHandler implements Pe
     tablePerms.put(Constants.METADATA_TABLE_ID, Collections.singleton(TablePermission.ALTER_TABLE));
     
     try {
+      // prep parent node of users with root username
+      if (!zoo.exists(ZKUserPath))
+        zoo.putPersistentData(ZKUserPath, rootuser.getBytes(), NodeExistsPolicy.FAIL);
+      
       initUser(rootuser);
       zoo.putPersistentData(ZKUserPath + "/" + rootuser + ZKUserSysPerms, ZKSecurityTool.convertSystemPermissions(rootPerms),
NodeExistsPolicy.FAIL);
       for (Entry<String,Set<TablePermission>> entry : tablePerms.entrySet())
@@ -265,7 +269,7 @@ public class ZKPermHandler implements Pe
       throw new RuntimeException(e);
     }
   }
-
+  
   /**
    * Sets up a new table configuration for the provided user/table. No checking for existence
is done here, it should be done before calling.
    */
@@ -331,7 +335,7 @@ public class ZKPermHandler implements Pe
   public boolean validSecurityHandlers(Authenticator authent, Authorizor author) {
     return true;
   }
-
+  
   @Override
   public void initTable(String table) throws AccumuloSecurityException {
     // All proper housekeeping is done on delete and permission granting, no work needs to
be done here

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/tabletserver/TabletServer.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/tabletserver/TabletServer.java?rev=1438259&r1=1438258&r2=1438259&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/tabletserver/TabletServer.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/tabletserver/TabletServer.java
Thu Jan 24 23:17:04 2013
@@ -106,6 +106,7 @@ import org.apache.accumulo.core.master.t
 import org.apache.accumulo.core.master.thrift.TabletLoadState;
 import org.apache.accumulo.core.master.thrift.TabletServerStatus;
 import org.apache.accumulo.core.security.Authorizations;
+import org.apache.accumulo.core.security.SecurityUtil;
 import org.apache.accumulo.core.security.thrift.SecurityErrorCode;
 import org.apache.accumulo.core.security.thrift.ThriftInstanceTokenWrapper;
 import org.apache.accumulo.core.security.thrift.ThriftSecurityException;
@@ -159,7 +160,6 @@ import org.apache.accumulo.server.proble
 import org.apache.accumulo.server.security.AuditedSecurityOperation;
 import org.apache.accumulo.server.security.SecurityConstants;
 import org.apache.accumulo.server.security.SecurityOperation;
-import org.apache.accumulo.server.security.SecurityUtil;
 import org.apache.accumulo.server.tabletserver.Compactor.CompactionInfo;
 import org.apache.accumulo.server.tabletserver.Tablet.CommitSession;
 import org.apache.accumulo.server.tabletserver.Tablet.KVEntry;
@@ -718,7 +718,7 @@ public class TabletServer extends Abstra
     public Tablet currentTablet;
     public MapCounter<Tablet> successfulCommits = new MapCounter<Tablet>();
     Map<KeyExtent,Long> failures = new HashMap<KeyExtent,Long>();
-    HashMap<KeyExtent, SecurityErrorCode> authFailures = new HashMap<KeyExtent,
SecurityErrorCode>();
+    HashMap<KeyExtent,SecurityErrorCode> authFailures = new HashMap<KeyExtent,SecurityErrorCode>();
     public Violations violations;
     public InstanceTokenWrapper credentials;
     public long totalUpdates = 0;
@@ -1255,7 +1255,7 @@ public class TabletServer extends Abstra
         tables.add(new String(keyExtent.getTable()));
       }
       InstanceTokenWrapper itw = new InstanceTokenWrapper(credentials);
-
+      
       // check if user has permission to the tables
       Authorizations userauths = null;
       for (String table : tables)
@@ -1375,7 +1375,7 @@ public class TabletServer extends Abstra
     public long startUpdate(TInfo tinfo, ThriftInstanceTokenWrapper credentials) throws ThriftSecurityException
{
       // Make sure user is real
       InstanceTokenWrapper itw = new InstanceTokenWrapper(credentials);
-
+      
       security.authenticateUser(itw, itw.getToken());
       if (updateMetrics.isEnabled())
         updateMetrics.add(TabletServerUpdateMetrics.permissionErrors, 0);
@@ -1641,17 +1641,16 @@ public class TabletServer extends Abstra
         log.debug(String.format("Authentication Failures: %d, first %s", us.authFailures.size(),
first.toString()));
       }
       
-      return new UpdateErrors(Translator.translate(us.failures, Translator.KET), Translator.translate(violations,
Translator.CVST), Translator.translate(us.authFailures, Translator.KET));
+      return new UpdateErrors(Translator.translate(us.failures, Translator.KET), Translator.translate(violations,
Translator.CVST), Translator.translate(
+          us.authFailures, Translator.KET));
     }
     
     @Override
     public void update(TInfo tinfo, ThriftInstanceTokenWrapper credentials, TKeyExtent tkeyExtent,
TMutation tmutation) throws NotServingTabletException,
         ConstraintViolationException, ThriftSecurityException {
       InstanceTokenWrapper itw = new InstanceTokenWrapper(credentials);
-
       if (!security.canWrite(itw, new String(tkeyExtent.getTable())))
         throw new ThriftSecurityException(itw.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
-      
       KeyExtent keyExtent = new KeyExtent(tkeyExtent);
       Tablet tablet = onlineTablets.get(new KeyExtent(keyExtent));
       if (tablet == null) {
@@ -1696,10 +1695,10 @@ public class TabletServer extends Abstra
     }
     
     @Override
-    public void splitTablet(TInfo tinfo, ThriftInstanceTokenWrapper credentials, TKeyExtent
tkeyExtent, ByteBuffer splitPoint) throws NotServingTabletException,
-        ThriftSecurityException {
+    public void splitTablet(TInfo tinfo, ThriftInstanceTokenWrapper credentials, TKeyExtent
tkeyExtent, ByteBuffer splitPoint)
+        throws NotServingTabletException, ThriftSecurityException {
       InstanceTokenWrapper itw = new InstanceTokenWrapper(credentials);
-
+      
       String tableId = new String(ByteBufferUtil.toBytes(tkeyExtent.table));
       if (!security.canSplitTablet(itw, tableId))
         throw new ThriftSecurityException(itw.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
@@ -1755,7 +1754,8 @@ public class TabletServer extends Abstra
     
     private ZooCache masterLockCache = new ZooCache();
     
-    private void checkPermission(InstanceTokenWrapper credentials, String lock, boolean requiresSystemPermission,
final String request) throws ThriftSecurityException {
+    private void checkPermission(InstanceTokenWrapper credentials, String lock, boolean requiresSystemPermission,
final String request)
+        throws ThriftSecurityException {
       if (requiresSystemPermission) {
         boolean fatal = false;
         try {
@@ -1820,7 +1820,7 @@ public class TabletServer extends Abstra
     @Override
     public void loadTablet(TInfo tinfo, ThriftInstanceTokenWrapper credentials, String lock,
final TKeyExtent textent) {
       InstanceTokenWrapper itw = new InstanceTokenWrapper(credentials);
-
+      
       try {
         checkPermission(itw, lock, true, "loadTablet");
       } catch (ThriftSecurityException e) {
@@ -2019,7 +2019,8 @@ public class TabletServer extends Abstra
     }
     
     @Override
-    public void compact(TInfo tinfo, ThriftInstanceTokenWrapper credentials, String lock,
String tableId, ByteBuffer startRow, ByteBuffer endRow) throws TException {
+    public void compact(TInfo tinfo, ThriftInstanceTokenWrapper credentials, String lock,
String tableId, ByteBuffer startRow, ByteBuffer endRow)
+        throws TException {
       try {
         checkPermission(new InstanceTokenWrapper(credentials), lock, true, "compact");
       } catch (ThriftSecurityException e) {
@@ -2050,9 +2051,9 @@ public class TabletServer extends Abstra
           }
         tablet.compactAll(compactionId);
       }
-
+      
     }
-
+    
     /*
      * (non-Javadoc)
      * 
@@ -3070,7 +3071,7 @@ public class TabletServer extends Abstra
           
           String uris = null;
           boolean preDelegate = true;
-
+          
           Iterator<Entry<String,String>> iter = getSystemConfiguration().iterator();
           while (iter.hasNext()) {
             Entry<String,String> entry = iter.next();
@@ -3085,7 +3086,7 @@ public class TabletServer extends Abstra
           
           if (uris != null)
             return new ContextConfig(uris, preDelegate);
-
+          
           return null;
         }
       });

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/randomwalk/security/WalkingSecurity.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/randomwalk/security/WalkingSecurity.java?rev=1438259&r1=1438258&r2=1438259&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/randomwalk/security/WalkingSecurity.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/test/randomwalk/security/WalkingSecurity.java
Thu Jan 24 23:17:04 2013
@@ -88,7 +88,7 @@ public class WalkingSecurity extends Sec
   }
   
   @Override
-  public void initialize(String instanceId) {
+  public void initialize(String instanceId, boolean initialize) {
     throw new UnsupportedOperationException("nope");
   }
   

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/trace/TraceServer.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/trace/TraceServer.java?rev=1438259&r1=1438258&r2=1438259&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/trace/TraceServer.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/trace/TraceServer.java
Thu Jan 24 23:17:04 2013
@@ -37,6 +37,7 @@ import org.apache.accumulo.core.conf.Pro
 import org.apache.accumulo.core.data.Mutation;
 import org.apache.accumulo.core.data.Value;
 import org.apache.accumulo.core.file.FileUtil;
+import org.apache.accumulo.core.security.SecurityUtil;
 import org.apache.accumulo.core.trace.TraceFormatter;
 import org.apache.accumulo.core.util.AddressUtil;
 import org.apache.accumulo.core.util.CachedConfiguration;
@@ -46,7 +47,6 @@ import org.apache.accumulo.fate.zookeepe
 import org.apache.accumulo.server.Accumulo;
 import org.apache.accumulo.server.client.HdfsZooInstance;
 import org.apache.accumulo.server.conf.ServerConfiguration;
-import org.apache.accumulo.server.security.SecurityUtil;
 import org.apache.accumulo.server.util.time.SimpleTimer;
 import org.apache.accumulo.server.zookeeper.ZooReaderWriter;
 import org.apache.hadoop.fs.FileSystem;

Modified: accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/util/Initialize.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/util/Initialize.java?rev=1438259&r1=1438258&r2=1438259&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/util/Initialize.java
(original)
+++ accumulo/branches/ACCUMULO-259/server/src/main/java/org/apache/accumulo/server/util/Initialize.java
Thu Jan 24 23:17:04 2013
@@ -39,6 +39,7 @@ import org.apache.accumulo.core.file.Fil
 import org.apache.accumulo.core.iterators.user.VersioningIterator;
 import org.apache.accumulo.core.master.state.tables.TableState;
 import org.apache.accumulo.core.master.thrift.MasterGoalState;
+import org.apache.accumulo.core.security.SecurityUtil;
 import org.apache.accumulo.core.security.thrift.ThriftSecurityException;
 import org.apache.accumulo.core.security.tokens.UserPassToken;
 import org.apache.accumulo.core.util.CachedConfiguration;
@@ -54,7 +55,6 @@ import org.apache.accumulo.server.iterat
 import org.apache.accumulo.server.master.state.tables.TableManager;
 import org.apache.accumulo.server.security.AuditedSecurityOperation;
 import org.apache.accumulo.server.security.SecurityConstants;
-import org.apache.accumulo.server.security.SecurityUtil;
 import org.apache.accumulo.server.tabletserver.TabletTime;
 import org.apache.accumulo.server.zookeeper.ZooReaderWriter;
 import org.apache.hadoop.conf.Configuration;
@@ -74,7 +74,7 @@ import com.beust.jcommander.Parameter;
  */
 public class Initialize {
   private static final Logger log = Logger.getLogger(Initialize.class);
-  private static final String ROOT_USER = "root";
+  private static final String DEFAULT_ROOT_USER = "root";
   
   private static ConsoleReader reader = null;
   
@@ -159,6 +159,7 @@ public class Initialize {
       log.fatal("Failed to talk to zookeeper", e);
       return false;
     }
+    opts.rootuser = getRootUser(opts);
     opts.rootpass = getRootPassword(opts);
     return initialize(opts, instanceNamePath, fs);
   }
@@ -402,6 +403,19 @@ public class Initialize {
     return instanceNamePath;
   }
   
+  private static String getRootUser(Opts opts) throws IOException {
+    if (opts.cliUser != null) {
+      return opts.cliUser;
+    }
+    String rootuser;
+    rootuser = getConsoleReader().readLine("Enter name for initial root user ( " + DEFAULT_ROOT_USER
+ "): ", '*');
+    if (rootuser == null)
+      System.exit(0);
+    if (rootuser.equals(""))
+      return DEFAULT_ROOT_USER;
+    return rootuser;
+  }
+  
   private static byte[] getRootPassword(Opts opts) throws IOException {
     if (opts.cliPassword != null) {
       return opts.cliPassword.getBytes();
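Review bot: In the new `getRootUser`, the prompt passes `'*'` as the mask character, so the operator cannot see the name being typed for the initial root principal. Unlike the password prompt there is no confirmation step, so a typo would silently become the root user name. A user name is not a secret, so I would read it unmasked and trim it: `rootuser = getConsoleReader().readLine("Enter name for initial root user (" + DEFAULT_ROOT_USER + "): ");` followed by `rootuser = rootuser.trim();` after the null check. Neither the prompted value nor `opts.cliUser` is checked before it is returned, so a whitespace-only or otherwise unusable name is handed on unchanged; rejecting it here would fail before any security state is written. The `getRootPassword` body at the end of the hunk continues outside it.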
@@ -409,10 +423,10 @@ public class Initialize {
     String rootpass;
     String confirmpass;
     do {
-      rootpass = getConsoleReader().readLine("Enter initial password for " + ROOT_USER +
": ", '*');
+      rootpass = getConsoleReader().readLine("Enter initial password for " + opts.rootuser
+ " (this may not be applicable for your security setup): ", '*');
       if (rootpass == null)
         System.exit(0);
-      confirmpass = getConsoleReader().readLine("Confirm initial password for " + ROOT_USER
+ ": ", '*');
+      confirmpass = getConsoleReader().readLine("Confirm initial password for " + opts.rootuser
+ ": ", '*');
       if (confirmpass == null)
         System.exit(0);
       if (!rootpass.equals(confirmpass))
@@ -422,7 +436,7 @@ public class Initialize {
   }
   
   private static void initSecurity(Opts opts, String iid) throws AccumuloSecurityException,
ThriftSecurityException {
-    AuditedSecurityOperation.getInstance(iid).initializeSecurity(SecurityConstants.getSystemCredentials(),
new UserPassToken(ROOT_USER, opts.rootpass));
+    AuditedSecurityOperation.getInstance(iid, true).initializeSecurity(SecurityConstants.getSystemCredentials(),
new UserPassToken(opts.rootuser, opts.rootpass));
   }
   
   protected static void initMetadataConfig() throws IOException {
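Review bot: The bare `true` in `AuditedSecurityOperation.getInstance(iid, true)` inside `initSecurity` says nothing at the call site about what it switches on. Judging by the `initialize(String instanceId, boolean initialize)` signature changed in WalkingSecurity in this same commit, it presumably marks an initialization-time instance, but `getInstance` itself is not visible here. A one-line comment such as `// true: obtain the instance in initialize mode (confirm against getInstance)` would make the intent reviewable. Since this call now builds the root `UserPassToken` from the operator-supplied `opts.rootuser` rather than a constant, the method comment should also state that the name is expected to be validated before it gets here.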
@@ -447,7 +461,7 @@ public class Initialize {
   private static void setMetadataReplication(int replication, String reason) throws IOException
{
     String rep = getConsoleReader().readLine(
         "Your HDFS replication " + reason
-            + " is not compatible with our default !METADATA replication of 5. What do you
want to set your !METADATA replication to? (" + replication + ") ");
+        + " is not compatible with our default !METADATA replication of 5. What do you want
to set your !METADATA replication to? (" + replication + ") ");
     if (rep == null || rep.length() == 0)
       rep = Integer.toString(replication);
     else
@@ -469,8 +483,11 @@ public class Initialize {
     String cliInstanceName;
     @Parameter(names = "--password", description = "set the password on the command line")
     String cliPassword;
+    @Parameter(names = "--username", description = "set the root username on the command
line")
+    String cliUser;
     
     byte[] rootpass = null;
+    String rootuser = null;
   }
   
   public static void main(String[] args) {
@@ -487,6 +504,7 @@ public class Initialize {
       
       if (justSecurity) {
         if (isInitialized(fs)) {
+          opts.rootuser = getRootUser(opts);
           opts.rootpass = getRootPassword(opts);
           initSecurity(opts, HdfsZooInstance.getInstance().getInstanceID());
         } else {

Modified: accumulo/branches/ACCUMULO-259/test/src/main/java/org/apache/accumulo/test/MiniAccumuloCluster.java
URL: http://svn.apache.org/viewvc/accumulo/branches/ACCUMULO-259/test/src/main/java/org/apache/accumulo/test/MiniAccumuloCluster.java?rev=1438259&r1=1438258&r2=1438259&view=diff
==============================================================================
--- accumulo/branches/ACCUMULO-259/test/src/main/java/org/apache/accumulo/test/MiniAccumuloCluster.java
(original)
+++ accumulo/branches/ACCUMULO-259/test/src/main/java/org/apache/accumulo/test/MiniAccumuloCluster.java
Thu Jan 24 23:17:04 2013
@@ -310,7 +310,7 @@ public class MiniAccumuloCluster {
     // sleep a little bit to let zookeeper come up before calling init, seems to work better
     UtilWaitThread.sleep(250);
     
-    Process initProcess = exec(Initialize.class, "--instance-name", INSTANCE_NAME, "--password",
config.getRootPassword());
+    Process initProcess = exec(Initialize.class, "--instance-name", INSTANCE_NAME, "--password",
config.getRootPassword(), "--username", "root");
     int ret = initProcess.waitFor();
     if (ret != 0) {
       throw new RuntimeException("Initialize process returned " + ret);


